PCPD e-Newsletter
MESSAGE FROM THE PRIVACY COMMISSIONER
2020 was an exceptionally challenging year for all. The COVID-19 pandemic has brought unprecedented challenges to all sectors of the community and the Office of the Privacy Commissioner for Personal Data (PCPD) is no exception. Other than discharging our normal functions under the Personal Data (Privacy) Ordinance (the Ordinance) in the past year, we strove hard to provide our views and observations to the Government and other stakeholders on a myriad of data privacy issues arising from the use of new technology to combat the pandemic. During the year, we published a series of practical advisories and guidance notes to provide guidance on the handling of COVID-19-related privacy issues to employers and employees, schools, students, as well as users of video conferencing software.
Looking ahead, the year 2021 marks the 25th Anniversary of the PCPD. Established in 1996, the PCPD has been an enforcer, promoter and educator entrusted to protect personal data privacy under the Ordinance — the first comprehensive data protection law enacted in Asia in 1995. Our 25th Anniversary slogan “Guardian • Privacy • 25 Years” (守護 • 私隱 • 廿五載) sums up our role as the guardian of personal data privacy over the years.
As 2021 begins, the PCPD will be organising a series of events to celebrate our 25th Anniversary. The first one was the publication on 28 January of the results of a public opinion survey to gauge, among other things, the public’s awareness and attitude towards the protection of personal data privacy. The inaugural Privacy-Friendly Awards, a flagship event of the Anniversary programme, is designed to publicly recognise organisations with outstanding achievements in the protection of personal data privacy. The Award winners will be announced at a semi-virtual award presentation ceremony to be held in March this year, and this will be followed by thematic live online public seminars, the launch of a series of one-minute videos, and other publicity campaigns. Please stay tuned for our latest updates.
May I take this opportunity to wish you a very healthy and joyous year ahead!
Ms Ada CHUNG Lai-ling
Privacy Commissioner for Personal Data, Hong Kong
PRIVACY 101
Tips on Preparing PICS
What is a Personal Information Collection Statement (“PICS”) and how do you draft one?
PRIVACY COMMISSIONER'S FINDINGS
A Bank Improved its Personal Data Update Webpage by Adopting Setting to Obtain Customers’ Valid Consent Before Using Their Personal Data for Direct Marketing
TECH TALK
Instant Messaging App Changes its Terms of Service and Privacy Policy
RECOMMENDED ONLINE TRAINING
Free Online Seminars: Introduction to the Personal Data (Privacy) Ordinance
Professional Workshops on Data Protection (Feb - Mar 2021)
WHAT'S ON
Media Briefing on the PCPD's Work in 2020
PCPD Sets up Enquiry/Complaint Hotline About Doxxing: 3423 6666
PCPD Releases the Results of a Survey on Protection of Personal Data Privacy
Privacy Commissioner Awarded The Hong Kong Institute of Chartered Secretaries Prize 2020
Privacy Commissioner Delivered Speech at 2nd “PaMa Café: My Kids x Internet” Closing Ceremony
Privacy Commissioner Attended Meeting of LegCo Panel on Constitutional Affairs
GLOBAL PRIVACY LANDSCAPE
GDPR: Fines Increased by 40% Last Year, and They're about to Get a Lot Bigger
CDC Will Collect Personal Data On Vaccine Recipients, Raising Privacy Concerns
"Together for a Better Internet" – Safer Internet Day (9 Feb)
PRIVACY 101
What is a Personal Information Collection Statement (“PICS”) and how do you draft one?
According to Data Protection Principle (“DPP”) 1(3) of the Personal Data (Privacy) Ordinance (the “Ordinance”), a data user (typically an organisation) must take all practicable steps to notify the data subjects (e.g. customers and employees) of the purpose of data collection, and the classes of persons to whom the data may be transferred. A PICS is a statement given by a data user for the purpose of complying with the notification requirements under DPP 1(3) of the Ordinance.
A PICS should be given to a data subject whenever a data user collects personal data from him/her. Key elements of a PICS include:
- Statement of purpose
- Whether the provision of certain data is obligatory or voluntary
- Statement of possible transferees
- Statement of rights of access and correction and contact details
- Notice of contact person for requesting access or correction
- Obtaining consent on direct marketing (if applicable)
DOs and DON’Ts when preparing a PICS
DO
- Use user-friendly language and presentation style
- Include statement of security measures
- Include link to Privacy Policy Statement (“PPS”), a general statement about a data user’s privacy policies and practices in relation to the personal data it handles
DON'T
- Use a statement of purpose that is too vague or too wide in scope
- Use the same PICS for different collection purposes
For more practical tips and examples on how to draft a PICS and PPS for your organisation, please refer to this Guidance Note issued by the PCPD.
TECH TALK
Instant Messaging App Changes Its Terms of Service and Privacy Policy
An instant messaging app widely used in Hong Kong recently announced changes to its Terms of Service and Privacy Policy. To continue using the messaging app, users would need to agree to share their information with the parent company of the messaging app and its subsidiaries before a specified date.
The change has caused widespread concern among users across the globe. The PCPD issued a media statement on 11 January 2021, appealing to users to carefully consider the new Terms and Privacy Policy and to the messaging app to extend the period for consideration to allow ample time for users to understand and consider the new Terms and Privacy Policy.
The messaging app has since then extended the deadline for agreeing to the new Terms and Privacy Policy. The Privacy Commissioner welcomed the new arrangement and called on the messaging app to provide further information and sufficient explanation to alleviate the public’s concern.
PRIVACY COMMISSIONER'S FINDINGS
A Bank Improved its Personal Data Update Webpage by Adopting Setting to Obtain Customers’ Valid Consent Before Using Their Personal Data for Direct Marketing
The complaint
The complainant was a customer of a bank. He updated his contact information through its online banking service. When he input his new contact information on the personal data update webpage, he was asked to tick a box if he “do not accept the use of customer’s personal data for direct marketing by the bank”. As the complainant had previously made a written opt-out request to the bank, he believed that he did not need to tick the box to confirm that he did not consent to the use of his personal data for direct marketing by the bank. Because the complainant had not ticked the above-mentioned box, the bank considered that he had cancelled his previous opt-out request and regarded him as a customer who consented to the use of his personal data for direct marketing. The bank later gave the complainant a direct marketing call. The complainant then complained to the PCPD that the bank did not comply with his opt-out request.
Outcome
The PCPD reiterated to the bank that the complainant did not consent to the use of his personal data for direct marketing by the bank, and the bank confirmed that no direct marketing message would be sent to the complainant anymore. Moreover, the PCPD urged the bank to review its personal data update webpage to ensure that customers were given a clear and genuine choice to decide whether to accept the use of their personal data for direct marketing.
The bank agreed that the flow of handling customers’ opt-out requests should be fair and transparent to the customers. Hence, the bank had improved the personal data update webpage by changing the wording of the box from “do not accept the use of customer’s personal data for direct marketing by the bank” to “accept the use of customer’s personal data for direct marketing by the bank”. If customers did not tick the box, the bank would not use their personal data for direct marketing.
Lesson learnt
Under the Personal Data (Privacy) Ordinance, a data subject’s “consent” to the use of his personal data for direct marketing by data users can include the data subject’s “indication of no objection”. However, to satisfy the definition of “indication of no objection”, the data subject must have expressly indicated that he does not object to the use of his personal data for direct marketing by data users. In other words, for a customer who has already made an opt-out request to the bank, even when the bank asks again if he would accept direct marketing and he does not respond, the bank cannot conveniently presume that he “consented” to the use of his personal data for direct marketing, or that he wanted to cancel his previous opt-out request.
When collecting customers’ personal data or allowing them to make an opt-in or opt-out choice online or through applications, organisations should adopt the Privacy-by-Design approach to ensure that organisations collect and use customers’ personal data for direct marketing only when customers are clearly informed and their genuine consent is obtained. By doing so, organisations not only win trust from customers, but also enhance their professional image in the industry, as well as the effectiveness of direct marketing.
Media Briefing on the PCPD's Work in 2020 (28 Jan 2021)
Privacy Commissioner Ms Ada CHUNG Lai-ling reported on the work of the PCPD in 2020 in a media briefing held on 28 January 2021. She also outlined PCPD’s strategic focus for 2021, including privacy protection amidst technological development and enhanced enforcement.
PCPD Sets up Enquiry/Complaint Hotline About Doxxing: 3423 6666 (28 Jan 2021)
The PCPD announced on 28 January 2021 that a hotline was set up to receive enquiries or complaints about doxxing behaviour. The hotline will be answered by dedicated officers.
Service Hours:
Monday to Friday
8:45 a.m. to 12:45 p.m. &
1:50 p.m. to 5:40 p.m.
(Voicemail recording is available outside service hours)
For more information on combating doxxing, please visit the thematic webpage.
PCPD Releases the Results of a Survey on Protection of Personal Data Privacy (28 Jan 2021)
The PCPD released the results of a survey on 28 January 2021. In 2020, the PCPD commissioned the Social Sciences Research Centre of The University of Hong Kong to conduct a survey to understand the public's awareness of and attitude towards the protection of personal data privacy; the work of organisations in protecting personal data privacy; and how supportive they were of suggested amendments to the Personal Data (Privacy) Ordinance.
Privacy Commissioner Awarded The Hong Kong Institute of Chartered Secretaries Prize 2020 (25 Jan 2021)
Privacy Commissioner Ms Ada CHUNG Lai-ling (left) received the HKICS prize from Ms Edith Shih, the immediate Past International President of The Chartered Governance Institute.
The Privacy Commissioner was awarded The Hong Kong Institute of Chartered Secretaries Prize (the HKICS Prize) 2020 by The Hong Kong Institute of Chartered Secretaries in recognition of her significant contributions to the company secretary and governance profession, and the development of the Institute over a substantial period. The award was presented in the HKICS Annual Celebration 2021 - Mask-uerade Parade held on 25 January 2021.
First presented in 2010, the HKICS Prize is decided by a Judging Panel comprising selected past presidents, current Council members and fellows of the HKICS and represents the highest honour recognised by company secretaries and governance professionals.
Privacy Commissioner Delivered Keynote Speech at 2nd “PaMa Café: My Kids x Internet” Closing Ceremony (23 Jan 2021)
The Privacy Commissioner delivered a pre-recorded keynote speech at the “2nd PaMa Café: My Kids x Internet Online Closing Ceremony” organised by WebOrganic of the Hong Kong Council of Social Service on 23 January 2021. She reminded young people to be vigilant about online lewd traps and parents to be mindful of the potentially long-lasting impact of the digital footprints of their children's online activities. The event was part of the Safer Internet Day 2020 programme organised by WebOrganic to promote proper parenting methods on internet use.
Privacy Commissioner Attended Meeting of LegCo Panel on Constitutional Affairs (18 Jan 2021)
The Privacy Commissioner briefed Members of the Legislative Council at the meeting of the Legislative Council Panel on Constitutional Affairs ("the Panel") on 18 January 2021 on the work of the PCPD in 2020, such as measures to combat doxxing and the issuance of a number of advisories to provide practical guidance in relation to privacy issues arising from the COVID-19 pandemic.
RECOMMENDED ONLINE TRAINING
Free Online Seminars: Introduction to the Personal Data (Privacy) Ordinance
Check out our FREE public online seminars to deepen your understanding of the Ordinance.
Time: 3:00pm - 4:30pm
Key Takeaways:
- A general introduction to the PDPO
- The six Data Protection Principles
- Offences & compensation
- Direct marketing
- Q & A session
Professional Workshops on Data Protection (Feb - Mar 2021)
Time: 2:15 - 5:15 pm
If you enrol for any of the professional workshops above, you will receive a FREE copy of "SME Personal Data Protection Toolkit" with a set of learning cards, and "A Brief Summary on the Regulations in the Mainland of China Concerning Personal Information and Cybersecurity Involved in Civil and Commercial Affairs" (in Chinese only).
Contact Us
Address: Room 1303, 13/F, Sunlight Tower, 248 Queen's Road East, Wanchai, Hong Kong
Tel: 2827 2827
Disclaimer
The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.
The PCPD shall not be liable for any damages (including but not limited to damages for loss of business or loss of profits) arising in contract, tort or otherwise from (i) the use of or inability to use this publication or its content, or (ii) from any action taken or decision made on the basis of the content of this publication.
If you click any hyperlink in this publication that brings you to sites operated by other organisations, the PCPD accepts no responsibility for the contents of those sites and shall not be liable for any loss or damage arising out of and/or incidental to the use of the contents.